Bank offers $20 gift certificate as compensation for privacy violation

PIPEDA Case Summary #2002-33

[Principles 4.5 and 4.7, Schedule 1; and section 5(3)]

Complaint

A client complained that her bank had improperly disclosed her personal information, specifically an indication of her recent bankruptcy, in the address window of her bank statement.

Summary of Investigation

The complainant had received by regular mail a statement of account from the bank in question. She was upset to see, through the address window of the unopened envelope, a notation to the effect that she was bankrupt as of a certain date. Owing to the closeness of the small community in which she resided, the complainant was concerned that others of her acquaintance, notably the postmaster, might have noticed the reference to the private financial matter of her recent bankruptcy. When she complained directly, the bank responded with a verbal apology and a $20 gift certificate for a department store. Considering this response inappropriate, the complainant then took her case to the Office of the Privacy Commissioner.

The bank never disputed the complainant's allegation. Rather, it launched an internal investigation and reported that the incident had been the result of an isolated human error on the part of an inexperienced data entry clerk. Tasked with adding a notation of bankruptcy to the complainant's client profile, that bank employee had inadvertently put the notation into the address field instead of the comment field provided for the purpose. Eventually, since it had been included among the particulars of the complainant's address, the notation appeared through the address window of the envelope of the bank statement.

The bank corrected the error and reviewed internal processes to confirm that it had not occurred in other cases. The complainant and the bank reached an agreement on more satisfactory terms of settlement, specifically $1,000 towards the purchase of a new computer system, and the complainant considered the matter resolved.

Commissioner's Findings

Issued January 8, 2002

Jurisdiction: As of January 1, 2001, the Personal Information Protection and Electronic Documents Act applies to federal works, undertakings, or businesses. The Commissioner had jurisdiction in this case because banks are federal works, undertakings, or businesses, as defined in the Act.

Application: Principle 4.5 states that personal information must not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Principle 4.7 states that personal information must be protected by security safeguards appropriate to the sensitivity of the information. Section 5(3) states that an organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances.

The facts being undisputed, the Commissioner determined that the bank had in this case improperly disclosed the complainant's personal information and had failed to protect the information with appropriate safeguards. He was also of the view that a bank's client would not reasonably expect information about a bankruptcy to appear in the clearly visible address window of a bank statement. He found that the bank was thus in contravention of Principles 4.5 and 4.7 and section 5(3) of the Act.

Nevertheless, he was satisfied that the disclosure at issue had been the result of an isolated human error and that the bank had taken appropriate steps to correct such error. He noted also that the complainant was satisfied with the outcome of the case.

The Commissioner concluded therefore that the complaint was well-founded and resolved.